
Creating secure pages

Oct 28th, 2005, 09:03 AM

Hi all,

You'll have to forgive me if this question is gut-wrenchingly obvious or annoyingly vague, but I've only started learning Spring recently. Please forgive my inevitable n00bness. Right - disclaimer over with...

I want to have secure pages on my website only available to logged-in users. So my spring controllers should check in the session for the particular key and value, and if it is not found, I want the controllers to return a ModelAndView for the login page. I don't particularly want to be writing request.getSession().contains( key ) in each servlet - so I was wondering what the best spring-like approach to this would be?

Comment

Thanks for the link, looks pretty heavy-weight so I've been playing around with interceptors first to get the general idea.

I've managed to use an interceptor for what I want - it checks the session and if not found does a response.sendRedirect(). However I'd prefer to use a ModelAndView somehow. Is there a way to achieve this?

In that example the handleRequestBefore method returns void, but you can instead return a ModelAndView. If the user is not logged in, handleRequestBefore returns a ModelAndView to the login page. If the user is logged in, handleRequestBefore returns null.

Comment

Personally I like to have login/security info "above" the actual application rather than within it, so I use a filter with a standard J2EE security layer (JAAS, Groups and Principals) for this type of thing.
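
The session check discussed in this thread, written as a Spring MVC `HandlerInterceptor` that renders the login view without a redirect. This is an added example, not code from any poster: the class name, session key and view name are assumptions, and it assumes Spring MVC 5.x with the `javax.servlet` API.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.ModelAndViewDefiningException;

// Added example: class name, session key and view name are hypothetical.
// Map this interceptor only to the protected handlers; if it also covers
// the login handler, the login form itself can never be submitted.
public class LoginRequiredInterceptor implements HandlerInterceptor {

    // Assumed session attribute that the login controller sets on success.
    private static final String SESSION_USER_KEY = "authenticatedUser";

    // Assumed logical view name, resolved by the application's ViewResolver.
    private static final String LOGIN_VIEW = "login";

    @Override
    public boolean preHandle(HttpServletRequest request,
                             HttpServletResponse response,
                             Object handler) throws Exception {
        // getSession(false) never creates a session, so anonymous requests
        // do not allocate server-side state just by being checked.
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(SESSION_USER_KEY) != null) {
            return true; // logged in: continue to the controller
        }

        // preHandle can only return a boolean. Throwing this exception makes
        // the DispatcherServlet render the given ModelAndView and skip the
        // controller, so no response.sendRedirect() is needed.
        throw new ModelAndViewDefiningException(new ModelAndView(LOGIN_VIEW));
    }
}
```

Because the check runs before every mapped handler, a controller added later is protected without repeating the session lookup in its own code.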